Is this way of identify user by api secure and good practice?

Hi, can someone help me with security of this, if this approach is secure, just ok, or if introduces security problems and has better ways to do that. I'm using a custom UI completely customized in react and using the backend to communicate with Zitadel, this is how i'm identifying the user. I know that i need to make some session checks but i'm asking myself if its ok or have improved ways to do that:

public class UserIdentifierImpl(TcktContext context) : IUserIdentifier
{
public async Task<Guid> GetUserIdentifier(HttpRequest request)
{
request.Cookies.TryGetValue("BearerCookieName", out var tokenId);
request.Cookies.TryGetValue("SessionId", out var sessionId);

const string zitadelApi = "http://localhost:8080/";
const string machineToken = "thDiOc52HbaMHj8PmEIcWlv0YBqZC0eF4umUwaE6i5N4UQvuzV5B28WU0eH1O33YfLwqJm4";

using var http = new HttpClient();

http.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", machineToken);

http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

var createResp = await http.GetFromJsonAsync<theJson>($"{zitadelApi}/v2/sessions/{sessionId}?sessionToken={tokenId}");

if(createResp == null) throw new Exception("user not found");

var user = await context.Users.FirstOrDefaultAsync(x => x.ZitadelId == createResp.session.factors.user.id);

return user?.Id ?? throw new Exception("user not found");
}

}

Ask Inkeep•12/7/25, 10:35 PM

Hi @AwillSoftwares, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/7/25, 10:35 PM

Answer

I wasn't able to find a direct answer about this specific security pattern in the official documentation. However, I can point you to some relevant resources:

Register and Login User with Password in a Custom Login UI (1)
- Shows the session creation and validation flow
Custom UI best practices (2)
- Community discussion about custom UI implementation

Based on the community discussion, there's a note that "these apis should be wrapped by your server, as they need authentication, they are not public" , which aligns with your backend approach.

For more detailed security guidance specific to your implementation pattern, I'd recommend clicking the "Ask for help" button to tag a team member who can review your specific code and provide security recommendations.

Ask Inkeep•12/7/25, 10:35 PM

To learn more, see the sources I considered:

[1] Register and Login User with Password in a Custom Login UI
[2] Custom UI best practices

Ask Inkeep•12/7/25, 10:35 PM

Feel free to tag @Ask Inkeep with additional questions.